4.6 Using Engine
OpenSSL has support for accelerating embedded password. Using the engine object model, an application can obtain a variable reference model that is mostly a hardware device in the following description. This support is in version 0.9.6 in OpenSSL, the name of the engine appears in this release; this support will be restricted in the main branch of OpenSSL, starting from its 0.9.7 version. 0.9.7 This version will have more robust characteristics for detailed description of the engine bag, while 0.9.6 engine includes some simple features to establish an engine object. These functions have not changed during writing. If there is a change, we will upgrade our website based on related information. Probably the idea is very simple: We look for an object to represent the hardware type we want to use, and then we tell OpenSSL to use our own devices. Example 4-17 provides a short program code, with example to explain how we implements this operation.
??? 4-17 Allows the use of hardware engines
Engine * e;
IF (! (e = engine_by_id ("cswift")))))))
FPRINTF (stderr, "error finding specified engine / n");
Else if (! engine_set_default (e, engine_method_all))
FPRINTF (stderr, "error useming engine / n");
Else
FPRINTF (stderr, "engine servicefully enabled / n")
This function is called Engine_By_ID, which will be queried and executed in the method you can use, and return an engine object. Single parameters in this function should be equivalent to connecting our next execution process. Table 4-2 shows the method you can use to support hardware and software encoding.
Table 4-2. Support hardware and software engine
The OpenSSL engine uses normal embedding to function for encryption.
This is the default.
OpenBSD_DEV_CRYPTO is built on an open BSD operating system, which uses a core-level intact in an operating system.
CSWIFT is used for hardware password acceleration.
Chil is used for NCIPHER CHIL hardware acceleration.
Atalla is used in Corpine Atalla hardware acceleration.
NURON is used for NURON hardware acceleration.
Ubsec is used for Broadcom Ubsec hardware acceleration.
AEP is used for AEP hardware acceleration.
SUREWARE is used for SureWare hardware acceleration.
The engine object we query should be used to notify Engine_set_default to allow the encrypted function area to use specific engines. The second parameter allows us to explain that we allow the operation of the engine to work. For example, if we have a engine that can only work on RSA, send a request as described in Example 4-17, this request will give RSA to the engine. On the other hand, if we request engine_set_default to request engine_method_dsa while using our RSA engine, OpenSSL will not allow any engine to encrypt requests because this flag allows the engine to work only on the DSA function. Table 4-3 provides a full list of us using restrictions. They can bind together on logic OR operations.
Table 4-3, ENGINE_SET_DEFAULT Sign
Sign bit
The engine_method_rsa restriction engine is only used for RSA operations.
The engine_method_dsa restriction engine is only used for DSA operations.
The engine_method_dh restriction engine is only used for DH operations.
The engine_method_rand limit engine is only used for random number.
The engine_method_ciphers restriction engine is only used to balance zero operations.
The engine_method_digests restriction engine is only used for digestive operations.
Engine_Method_all allows OpenSSL to use any of the above mentioned execution functions.
Remove the settings the default engine, the engine object can be typically applied to the 0.9.7 version of the other places OpenSSL. For example, the EVP_Encryptinit function can be exempted from errors and can be replaced by EVP_ENCRYPTINIT_EX. The "EX" function here with an additional parameter: engine object. Roughly, these replacement functions can assign the engine object with an null value, we can let OpenSSL use the default engine. If we have requested engine_set_default, the default engine has changed again; if there is no such request, the embedded software will be applied. Applying these new "EX" functions is to allow more good operations to apply to each request encryption instrument. This is especially useful for us to have multiple password accelerators, and we can use them according to applications.
Chapter 5? SSL / TLS Programming
The main feature of the OpenSSL library is its secure interface layer (SSL) and a transport layer security (TLS) protocol. At first was developed by Netscape Company to protect the security of online transactions, this agreement now has become a universal thread communication security guarantee. Netscape Company is the first version of the SSL2 now called SSL2 when the Open Version of SSL is.
5.1ssl programming
OpenSSL is a procedure for the US Petroleum Association for SSL. As discussed in Chapter 1, SSL may be inefficient in completing its security objectives. These factors are mixed for developers a difficult job. In the hope of the implementation of the idea, we attack the problem in three steps. In each step, the developer must provide some application-special medicine knowledge to determine SSL to do its work. For example, the design circle browser that is highly co-integrated by a developer will be different from the man who is doing a developer of a highly unaptuous server.
When a SSL customer is implemented, the following steps provide developers with a plate compliance or server. We will start because of a small example and it is established. This example will take into account our satisfaction until all steps have been thought of. In each step, we will introduce a small dose of the US Petroleum Association; after all steps, developers should be able to design a SSL to make the application make more clear. Completing these steps is not the end of the road, however. In order to spend a number of applications, we need to further go further and investigate further characteristics of the US Petroleum Association.
5.1.1 Safety Application
We will use two very simple applications: customers and servers from the customer to the console. Our goals should add two applications so that they can run their work. In other words, we will implement each program to prove connections. When we generate SSL program translations through the path, we believe that every developer must do this during this period.
There are four files there: Common.h, Common.c, Client.c and Server.c. Decoding is given in Example 5-1. 5-4 also has the decoding we use in Example 4-2, so we can operate multithreaded, such as UNIX systems, we can continue to use POSIX threads.
Example 5-1. Common.h
1 #include
2 #include
3 #include
4 #include
5 #include
6
7 #ifndef Win32
8 #include
9 #Define thread_cc
10 #Define thread_type pthread_t
11 #define thread_create (TID, Entry, Arg) Pthread_create (& (TID), NULL, /
12 (Entry), (arg))
13 #Else
14 #include
15 #Define thread_cc _ _CDECL
16 # DEFINE THREAD_TYPE DWORD
17 #define thread_create (TID, Entry, Arg) DO {_BeginThread ((Entry), 0,
(arg)); /
18 (TID) =
GetCurrentThreadId (); /
19} while (0)
20 #ENDIF
twenty one
22 # DEFINE Port "6001"
23 # DEFINE Server "splat.zork.org"
24 # DEFINE Client "shell.zork.org"
25
26 #define int_error (msg) Handle_ERROR (__ file__, __line_ _, msg)
27 Void Handle_ERROR (Const Char * file, int Lineno, Const Char * MSG);
Twist
29 Void Init_OpenSSL (Void);
Example 5-2, Common.c, report the next definition of Handle_Error to the error function. Error handling is a bit in this application example, you will prefer to use your own error in a more friendly interface. In summary, it does not apply to all error handling, the common.c file also defines the initialization function, initialization library, and calls the error string when the error occurs and prints the error, and we get readable Error message. Call these diagnostic information from memory. Typically, these diagnostic information is called in the work decoding error is a good way.
??? Just as we built in SSL support, Common.c will obtain the execution function through the user and server, and Common.h will get the data prototype.
Example 5-2. Common.c
1 #include "common.h"
2
3 void Handle_ERROR (const char * file, int lineeno, const char * msg)
4 {
5 fprintf (stderr, "**% s:% I% S / N", File, Lineno, MSG);
6 Err_Print_ERRORS_FP (STDERR);
7 exit (-1);
8 }
9
10 void init_openssl (void)
11 {
12 if (! Thread_setup () ||! SSL_Library_init ())
13 {
14 fprintf (stderr, "** openssl initialization failed! / N");
15 exit (-1);
16}
17 SSL_LOAD_ERROR_STRINGS ();
18}
A large number of customers are applied in Example 5-3, Client.c. At higher levels, it produces a connection to the 6001 service port, as specified in Common.h. Once the connection is established, it reads the data from the stdin before the EOF arrives. As is read from the internal, the server is sent to the connected server. Note this, although we can use the OpenSSL to communicate, we can still use the SSL protocol. Line 27-29 established a new BIO object from BIO_S_CONNECT to BIO_METHOD; BIO_NEW_CONNECT is a simple function of completing tasks. If there is no error, the 31-32 line actually makes a TCP connection and check the error. When a connection is successful, Do_client_loop continues to read data and write data into Stdin. If the error occurs when writing or EOF is received while reading the console, this function exits, the program ends.
Example 5-3 Client.c
1 #include "common.h"
2
3 void do_client_loop (BIO * CONN)
4 {
5 int err, nwritten; 6 char buf [80];
Seduce
8 for (;;)
9 {
10 IF (! Fgets (buf, sizeof (buf), stdin)
11 Break;
12 for (nwritten = 0; nwritten Err) 13 { 14 Err = BIO_WRITE (CONN, BUF NWRITEN, STRLEN (BUF) - nwritten; 15 IF (Err <= 0) 16 return; 17} 18} 19} 20 21 int Main (int Argc, char * argv []) twenty two { 23 bio * conn; twenty four 25 init_openssl (); 26 27 conn = BIO_NEW_CONNECT (Server ":" port); 28 if (! Conn) 29 int_ERROR ("Error Creating Connection Bio); 30 31 IF (BIO_DO_CONNECT (CONN) <= 0) 32 INT_ERROR ("Error Connecting to Remote Machine); 33 34 FPRINTF (stderr, "connection opened / n"); 35 DO_CLIENT_LOOP (CONN); 36 fprintf (stderr, "connection closed / n"); 37 38 BIO_FREE (CONN); 39 returnography; 40} Server Application In Example 5-4, Server.c, which is different from other user programs in many ways. When we use the initialization function, it causes a different Bio class, a class from BIO_S_ACCEPT to Bio_Method, which generates a server interface to accept long-distance transmission. On the 50-51 line, there is a BIO_DO_ACCEPT bundled interface for the 6001 port; the BIO_DO_ACCEPT will be locked to wait for a long-distance connection. The loop continues to a connection success, generates a connection generated, generating a new connection thread, DO_SERVER_LOOP, and writing back to STDOUT from the interface. If an error is there, the function returns and threads. For example, generate an error queue memory for 33 line err_remove_state for threads. Example 5-4. Server application 1 #include "common.h" 2 3 void do_server_loop (BIO * CONN) 4 { 5 int err, nread; 6 char buf [80]; Seduce 8 DO 9 { 10 for (Nread = 0; NREAD 11 { 12 Err = BIO_READ (CONN, BUF NREAD, SIZEOF (BUF) - NREAD); 13 IF (Err <= 0) 14 Break; 15} 16 FWRITE (BUF, 1, NREAD, STDOUT); 17} 18 While (Err> 0); 19} 20 21 void thread_cc server_thread (void * arg) twenty two { 23 Bio * Client = (BIO *) arg; 2425 #ifndef Win32 26 pthread_detach (pthread_self ()); 27 #ENDIF 28 FPRINTF (stderr, "connection opened./n"); 29 Do_Server_Loop (Client); 30 fprintf (stderr, "connection closed./n"); 31 32 Bio_Free (client); 33 Err_Remove_State (0); 34 #ifdef win32 35 _endthread (); 36 #ENDIF 37} 38 39 Int Main (int Argc, char * argv []) 40 { 41 BIO * ACC, * client; 42 Thread_Type Tid; 43 44 init_openssl (); 45 46 ACC = BIO_NEW_ACCEPT (Port); 47 if (! ACC) 48 INT_ERROR ("Error Creating Server Socket"; 49 50 IF (BIO_DO_ACCEPT (ACC) <= 0) 51 int_ERROR ("Error Binding Server Socket"; 52 53 for (;;) 54 { 55 IF (BIO_DO_ACCEPT (ACC) <= 0) 56 INT_ERROR ("Error Accepting Connection"); 57 58 Client = BIO_POP (ACC); 59 thread_create (TID, Server_Thread, Client); 60} 61 62 BIO_FREE (ACC); 63 returnograph; 64} Now we understand the instance application, we will gradually learn to use SSL communication. 5.1.2 Step 1 :: SSL Version Selection and Certificate Preparation For SSL connection safety, we must provide accurate proof information to ensure the correctness of the proper version and provide accurate proof information. Since this is our preliminary understanding of the SSL API, we will hide the background information of features and structure.
